Re: [Samba] XP auto enrollment error; TEMP profile
- Date: Sun, 1 Oct 2017 22:17:17 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] XP auto enrollment error; TEMP profile
On Sun, 1 Oct 2017 13:43:32 -0700
ToddAndMargo via samba <samba@xxxxxxxxxxxxxxx> wrote:
> On 09/30/2017 08:21 AM, Gaiseric Vandal via samba wrote:
> > If this is a customer rather than your employer you may find that
> > you need to just part ways, which I know isn't easy. If you
> > provide a customer with your professional advice, and they choose
> > to ignore it, then I think you can't really help them.
> Hi Gaiseric,
> Easier said than done. We are still suffering from the endless
> recession out in these parts, although things have started to
> SLOWLY change over the last 10 months. If I do not accommodate
> the customer's wishes, I will not be able to feed my family. And
> replacing the customer is impossible in this business climate.
> Bear in mind that I am considered a unnecessary expense to be
> eliminated. At least this customer has not accused me of writing
> viruses so I can charge to remove them. I am between a rock and
> a hard place. I either fix this or lose my shirt.
I understand where you are coming from, you have to earn a living and
you have to do what your customer wants. You can advise till you are
blue in the face, but sometimes the customer just doesn't hear you.
> > Is the customer using XP for all client machines or just select
> > machines that may run some legacy app?
> The app will run on any version of Windows. The reason for the XP
> is that the customer doesn't believe in fixing what ain't broke.
> (That is a conspiracy to separate him from his money don't you know).
Unfortunately, this isn't a rare occurrence and it isn't only
customers that don't want to invest in new equipment or software. I
once had a discussion with a software supplier about upgrading their
main package to run on Windows 7 (this was about 10 months before XP
went EOL), His reply was something along the lines of 'Don't bother,
Microsoft wont EOL XP, and if they do, you can still use it'. Look
where that got us, 'wanacry'
> > Do you have at least one Win 7 machine?
> Not a single one!
> > I would validate the
> > connections with the win 7 machine before you start trying to fix
> > XP. That would at least prove that the server is correct and XP
> > is the problem.
> > If this is a "classic" domain controller then you DO have to use
> > NTLM (but definately NOT lanman.) If XP supports NTLMv2 then I
> > think it will negotiate that with Samba. I think Microsoft
> > released patches for XP for WanaCry, even tho XP is otherwise
> > unsupported. So some of the security concerns are partially
> > mitigated. Although you should make sure that the antivirus is
> > enabled and that the machine is ONLY used for the absolutely
> > essential functions (no web browsing, no e-mail.)
> > Some of the default "signing" options in smb.conf may have changed
> > with the newer versions of samba. You may need to turn "server
> > signing" , "client signing" and "client ipc signing" to off. You
> > may also want to check the server and client min and max protocol
> > options on samba. XP may have problems with SMB2.
> > Can you try using smbpasswd or pdbedit to precreate the machine
> > accounts ? I found sometimes certain attributes weren't properly
> > created when joining machines to domains.
> I used smbpasswd. And I am using DDNS (Dynamic Domain Name Service).
> Each computer showed up in both my forward and reverse tables.
> I am not much of a fan of Domain Controllers. This is five computers
> and I just don't see that it is worth the effort for any "perceived"
> extra functionality. So I am slowly reverting them back to a
I almost suggested doing this when you said there was only 5
machines, It is probably the best thing you can do. Your main trouble
was that you went with a PDC rather than an AD DC, but for 5 machines,
either was overkill, especially if they are all in the same location.
To unsubscribe from this list go to the following URL and read the